Skip to content

[NEW] Setting to block unauthenticated access to avatars#9749

Merged
sampaiodiego merged 10 commits intoRocketChat:developfrom
Hudell:block_unauthenticated_access_to_avatars
Aug 17, 2018
Merged

[NEW] Setting to block unauthenticated access to avatars#9749
sampaiodiego merged 10 commits intoRocketChat:developfrom
Hudell:block_unauthenticated_access_to_avatars

Conversation

@Hudell
Copy link
Copy Markdown
Contributor

@Hudell Hudell commented Feb 16, 2018

@RocketChat/core

Closes #3480

@geekgonecrazy geekgonecrazy added this to the 0.62.0 milestone Feb 16, 2018
@geekgonecrazy
Copy link
Copy Markdown
Contributor

geekgonecrazy commented Feb 16, 2018

This looks good to me. @rodrigok thoughts on this being enabled by default? Should this be a setting or just default?

@geekgonecrazy geekgonecrazy removed this from the 0.62.0 milestone Feb 16, 2018
@geekgonecrazy
Copy link
Copy Markdown
Contributor

geekgonecrazy commented Feb 16, 2018

Looks like this will break mobile apps. We need to get them on track to passing authentication along before we put this in a release.

graywolf336
graywolf336 previously requested changes Apr 18, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@graywolf336 graywolf336 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this option, however it does break how everything currently accesses the avatars. So, how about we add a new setting (yes another one) that defaults to false and then after three releases we make it enabled by default? Then if the NODE_ENV is something other than production, let's log a warning every thirty minutes or so after it's been accessed (so it's not spammy)...or we can somehow notify developers/admins that avatars will soon be protected?

@sampaiodiego
Copy link
Copy Markdown
Member

sampaiodiego commented Apr 18, 2018

agreed on adding a setting for that, just like we have for file uploads.

agreed as well on a throttled log on server saying avatars will be protected after three releases if the request does not have any authentication

@sampaiodiego sampaiodiego added this to the 0.68.0 milestone Jul 18, 2018
sampaiodiego
sampaiodiego previously requested changes Jul 18, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@sampaiodiego sampaiodiego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Hudell can you please do the requested changes? thx

@sampaiodiego sampaiodiego mentioned this pull request Jul 18, 2018
Closed
@theorenck theorenck modified the milestones: 0.68.0, Short-term Jul 31, 2018
@Hudell Hudell dismissed stale reviews from graywolf336 and sampaiodiego August 2, 2018 14:50

Changes were made

@sampaiodiego sampaiodiego changed the title [FIX] Block unauthenticated access to avatars [NEW] Setting to block unauthenticated access to avatars Aug 17, 2018
@sampaiodiego sampaiodiego merged commit 06c1d5e into RocketChat:develop Aug 17, 2018
@sampaiodiego sampaiodiego mentioned this pull request Aug 28, 2018
Merged
@theorenck theorenck removed this from the Short-term milestone Dec 12, 2018
@AllanWang AllanWang mentioned this pull request Mar 4, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sampaiodiego sampaiodiego sampaiodiego approved these changes

+1 more reviewer

@graywolf336 graywolf336 graywolf336 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Hudell @geekgonecrazy @sampaiodiego @graywolf336 @theorenck @pierre-lehnen-rc